Analyzer failure logging: tweaks and test fixes
The main part of this commit are changes in tests. A lot of the tests that previously relied on analyzer.log or dpd.log now use the new analyzer-failed.log. I verified all the changes and, as far as I can tell, everything behaves as it should. This includes the external test baselines. This change also enables logging of file and packet analyzers to analyzer_failed.log and fixes some small behavior issues. The analyzer_failed event is no longer raised when the removal of an analyzer is vetoed. If an analyzer is no longer active when an analyzer violation is raised, currently the analyzer_failed event is raised. This can, e.g., happen when an analyzer error happens at the very end of the connection. This makes the behavior more similar to what happened in the past, and also intuitively seems to make sense. A bug introduced in the failed service logging was fixed.
This commit is contained in:
parent
8c814fa88c
commit
af77a7a83b
143 changed files with 4523 additions and 4329 deletions
|
@ -1,19 +0,0 @@
|
|||
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
|
||||
# @TEST-EXEC: mv analyzer.log analyzer.log-default
|
||||
# @TEST-EXEC: btest-diff analyzer.log-default
|
||||
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
|
||||
# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
|
||||
# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
|
||||
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_disabling=T
|
||||
# @TEST-EXEC: mv analyzer.log analyzer.log-include-disabling
|
||||
# @TEST-EXEC: btest-diff analyzer.log-include-disabling
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
@load base/protocols/socks
|
||||
|
||||
# DCE RPC violations are ignored by default. Consider violations for this
|
||||
# test so that the analyzer will be disabled eventually.
|
||||
redef DPD::ignore_violations -= { Analyzer::ANALYZER_DCE_RPC };
|
|
@ -2,7 +2,12 @@
|
|||
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/ntlm-empty-av-sequence.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ntlm.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
@load base/protocols/dce-rpc
|
||||
@load base/protocols/ntlm
|
||||
|
||||
# ntlm by default excludes itself from analyzer logging
|
||||
|
||||
redef DPD::ignore_violations = {};
|
||||
|
|
|
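Review bot: The comment `# ntlm by default excludes itself from analyzer logging` is followed by a blank line and then `redef DPD::ignore_violations = {};`, which controls which violations are ignored rather than which analyzers are logged, so the comment explains nothing that is actually on the page; if it justifies the redef, put it directly above that line and word it in terms of violations, otherwise the statement it was written for appears to be missing. The ntlm-unterminated-av-sequence hunk below has the same detached comment. This hunk additionally loads `frameworks/analyzer/analyzer-debug-log.zeek` while only `analyzer_failed.log` is diffed, so analyzer_debug.log is produced but never checked; either add `# @TEST-EXEC: btest-diff analyzer_debug.log` or drop the load, which the sibling hunk already omits. The rendered view does not show which of these lines are new and which are context, so this assumes they are on the new side.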
@ -2,7 +2,11 @@
|
|||
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/ntlm-unterminated-av-sequence.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ntlm.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
|
||||
@load base/protocols/dce-rpc
|
||||
@load base/protocols/ntlm
|
||||
|
||||
# ntlm by default excludes itself from analyzer logging
|
||||
|
||||
redef DPD::ignore_violations = {};
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-invalid-reply-code.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f reporter.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-missing-reply-code.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f reporter.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-missing-space-after-reply-code.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f reporter.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/websocket.pcap %INPUT
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
@ -25,7 +25,7 @@ hook WebSocket::configure_analyzer(c: connection, aid: count, config: WebSocket:
|
|||
# The originator's WebSocket frames match HTTP, so DPD would
|
||||
# enable HTTP for the frame's payload, but the responder's frames
|
||||
# contain some ack/status junk just before HTTP response that
|
||||
# trigger a violation. Disable DPD for to prevent a dpd.log
|
||||
# trigger a violation. Disable DPD for to prevent a analyzer_failed.log
|
||||
# entry.
|
||||
config$use_dpd = F;
|
||||
}
|
||||
|
|
|
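Review bot: The rewritten comment line `# trigger a violation. Disable DPD for to prevent a analyzer_failed.log` carries over the stray "for" and now reads "a analyzer_failed.log"; since the line is already being touched, make it `# trigger a violation. Disable DPD to prevent an analyzer_failed.log`. The body of the WebSocket::configure_analyzer hook starts before this hunk.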
@ -1,7 +1,7 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/http/http-11-request-then-cruft.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/notice/weird
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: The addRequest/addResponse operation is not implemented, yet we process it.
|
||||
|
|
|
@ -7,6 +7,6 @@
|
|||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: btest-diff ldap_search.log
|
||||
# @TEST-EXEC: ! test -f weird.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: Test LDAP analyzer with SASL encrypted payloads.
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: btest-diff ldap_search.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: This broke after #3826 got merged
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: btest-diff ldap_search.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: This broke after #3826 got merged
|
||||
|
|
|
@ -6,6 +6,6 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: btest-diff ldap_search.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
|
||||
|
|
|
@ -6,6 +6,6 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: btest-diff ldap_search.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: SASL authentication using SRP (Secure Remote Password)
|
||||
|
|
|
@ -9,7 +9,6 @@
|
|||
# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: SASL bindRequest with SPNEGO NTLMSSP.
|
||||
|
|
|
@ -7,8 +7,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: LDAP supports StartTLS through extendedRequest 1.3.6.1.4.1.1466.20037
|
||||
|
||||
|
|
|
@ -6,8 +6,7 @@
|
|||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ldap.log
|
||||
# @TEST-EXEC: ! test -f dpd.log
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
#
|
||||
# @TEST-DOC: Testing OpenLDAP's ldapwhoami utility with simple authentication.
|
||||
|
||||
|
|
|
@ -23,10 +23,12 @@
|
|||
#
|
||||
# @TEST-REQUIRES: ! have-spicy-ssl
|
||||
#
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff modbus.log
|
||||
# @TEST-EXEC: btest-diff analyzer.log
|
||||
# @TEST-EXEC: btest-diff analyzer_debug.log
|
||||
|
||||
# The pcap has non Modbus traffic (i.e., DCERPC, HTTP, Magellan, NFS, RDP, TLS) on TCP port 502.
|
||||
# This traffic should not be labelled as Modbus in conn.log, and not generate any Modbus events.
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
|
|
@ -2,8 +2,9 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/pop3/bad-list-retr-crafted.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
# @TEST-EXEC: btest-diff analyzer.log
|
||||
# @TEST-EXEC: btest-diff analyzer_debug.log
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
@load base/frameworks/notice/weird
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/pop3
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/frameworks/notice/weird
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -3,8 +3,9 @@
|
|||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
# @TEST-EXEC: btest-diff analyzer.log
|
||||
# @TEST-EXEC: btest-diff analyzer_debug.log
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
@load base/frameworks/notice/weird
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/pop3
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-backend-message-1.pcap %INPUT
|
||||
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
|
||||
# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
|
||||
# @TEST-EXEC: zeek-cut -m < analyzer_failed.log > analyzer.cut
|
||||
#
|
||||
# @TEST-EXEC: btest-diff conn.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
|
||||
|
|
|
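Review bot: `zeek-cut -m < analyzer_failed.log > analyzer.cut` keeps the intermediate file name from the old analyzer.log, so the name no longer says which log is being checked and the later `btest-diff analyzer.cut` reads as if analyzer.log still existed. Naming it `analyzer_failed.cut` (and renaming the baseline file to match) keeps the source log visible to the reader. The http-on-port-5432 and mysql-on-port-5432 hunks below have the same mismatch with analyzer_debug.log.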
@ -3,11 +3,12 @@
|
|||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
|
||||
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.cut
|
||||
# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
|
||||
# @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
|
||||
#
|
||||
# @TEST-EXEC: btest-diff conn.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
|
||||
# @TEST-EXEC: test ! -f postgresql.log
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/postgresql
|
||||
|
|
|
@ -3,11 +3,12 @@
|
|||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
|
||||
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.cut
|
||||
# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
|
||||
# @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
|
||||
#
|
||||
# @TEST-EXEC: btest-diff conn.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
|
||||
# @TEST-EXEC: test ! -f postgresql.log
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/postgresql
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/quic/383379789-decrypt-crash.pcap base/protocols/quic %INPUT
|
||||
# @TEST-EXEC: zeek-cut -m ts uid proto history service < conn.log > conn.log.cut
|
||||
# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
|
||||
# @TEST-EXEC: zeek-cut -m ts cause uid analyzer_kind analyzer_name failure_reason < analyzer_debug.log > analyzer_debug.log.cut
|
||||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer_debug.log.cut
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
|
|
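Review bot: The new zeek-cut line reorders the fields to `ts cause uid analyzer_kind analyzer_name failure_reason` while the old one used `ts uid cause ...`; zeek-cut emits columns in the order requested, so the swap changes the baseline independently of the move from analyzer.log to analyzer_debug.log. If the reorder is not required, keep `ts uid cause` so the baseline diff is limited to the rename; if it is intentional (presumably to match the new log's native column order), a one-line comment saying so would help the next reader. The vector-max-size-crash hunk below makes the same swap.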
@ -7,4 +7,4 @@
|
|||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff quic.log
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
|
|
@ -7,4 +7,4 @@
|
|||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff quic.log
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
|
|
@ -7,4 +7,4 @@
|
|||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff quic.log
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
|
|
@ -3,12 +3,14 @@
|
|||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
|
||||
# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
|
||||
# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
|
||||
# @TEST-EXEC: zeek-cut -m ts cause uid analyzer_kind analyzer_name failure_reason < analyzer_debug.log > analyzer_debug.log.cut
|
||||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff quic.log
|
||||
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer_debug.log.cut
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
||||
event QUIC::unhandled_version(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
|
||||
{
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
# Tests a pcap that has a known-invalid length in a RDP_Negotiation_Response
|
||||
# header, ensuring that it throws a binpac exception and reports a notice to
|
||||
# analyzer.log. The pcap used is a snippet of a pcap from OSS-Fuzz #57109.
|
||||
# analyzer_failed.log. The pcap used is a snippet of a pcap from OSS-Fuzz #57109.
|
||||
|
||||
# @TEST-EXEC: zeek -C -b -r $TRACES/rdp/rdp-invalid-length.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff analyzer.log
|
||||
# @TEST-EXEC: btest-diff analyzer_debug.log
|
||||
|
||||
@load base/protocols/rdp
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
@load base/protocols/rdp
|
||||
|
|
|
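Review bot: The updated header comment says the test ensures the binpac exception `reports a notice to analyzer_failed.log`, but the only assertion in the hunk is `btest-diff analyzer_debug.log`, so a regression that stops the failure from reaching analyzer_failed.log would go unnoticed. Either add `# @TEST-EXEC: btest-diff analyzer_failed.log` next to the debug-log diff, or reword the comment to name analyzer_debug.log; "notice" is also easy to confuse with the Notice framework here, and "log entry" would be more precise. The rendered view does not show which `@load base/protocols/rdp` line is old and which is new, so the duplicate is presumably a reorder rather than a double load.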
@ -3,8 +3,7 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-no-cookie-mstshash.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff rdp.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/protocols/rdp
|
||||
@load base/protocols/ssl
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
#@TEST-EXEC: zeek -b -C -r $TRACES/smb/smb1-OSS-fuzz-54883.pcap %INPUT
|
||||
#@TEST-EXEC: btest-diff analyzer.log
|
||||
#@TEST-EXEC: btest-diff analyzer_debug.log
|
||||
#@TEST-EXEC: ! test -f reporter.log
|
||||
|
||||
@load base/protocols/smb
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
||||
# The traffic generated by OSS Fuzz is broken to the extreme, ensure
|
||||
# the analyzer isn't disabled so the original scripting issue triggers.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff smb_files.log
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/protocols/smb
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-DOC: Tests handling of PDUs containing error ioctls with byte lengths of zero
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/smb/smb2-zero-byte-error-ioctl.pcap %INPUT 2>&1 >out
|
||||
# @TEST-EXEC: ! test -f analyzer.log
|
||||
# @TEST-EXEC: ! test -f analyzer_failed.log
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/protocols/smb
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# @TEST-EXEC: btest-diff smb_files.log
|
||||
# @TEST-EXEC: btest-diff smb_mapping.log
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_multichannel.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff smb_files.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/smb
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smb/smb3.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff smb_mapping.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb311.pcap %INPUT
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
# Tests processing of half-duplex client-side connections, including no
|
||||
# analyzer.log output.
|
||||
# analyzer_failed.log output.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/ssh/ssh.client-side-half-duplex.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff analyzer.log
|
||||
# @TEST-EXEC: btest-diff analyzer_debug.log
|
||||
# @TEST-EXEC: btest-diff ssh.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
||||
|
|
|
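Review bot: The header comment now claims the test covers `no analyzer_failed.log output`, but no `@TEST-EXEC` line checks that; only analyzer_debug.log, ssh.log, conn.log and stdout are diffed. Add `# @TEST-EXEC: test ! -f analyzer_failed.log` so the stated property is asserted directly rather than left to the baseline of a different log. The server-side-half-duplex hunk below has the same gap.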
@ -1,8 +1,10 @@
|
|||
# Tests processing of half-duplex server-side connections, including no
|
||||
# analyzer.log output.
|
||||
# analyzer_failed.log output.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/ssh/ssh.server-side-half-duplex.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff analyzer.log
|
||||
# @TEST-EXEC: btest-diff analyzer_debug.log
|
||||
# @TEST-EXEC: btest-diff ssh.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
|
|
@ -4,4 +4,7 @@
|
|||
# @TEST-EXEC: test ! -f ssh.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff analyzer.log
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff analyzer_debug.log
|
||||
|
||||
@load frameworks/analyzer/analyzer-debug-log.zeek
|
||||
|
||||
|
|
|
@ -3,5 +3,5 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f files.log
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: cat ssl.log >> ssl-all.log
|
||||
# @TEST-EXEC: btest-diff ssl-all.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
|
||||
{
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# @TEST-REQUIRES: ! have-spicy-ssl # DTLS is not supported in Spicy SSL yet
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/webrtc-stun.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: touch dpd.log
|
||||
# @TEST-EXEC: btest-diff dpd.log
|
||||
# @TEST-EXEC: touch analyzer_failed.log
|
||||
# @TEST-EXEC: btest-diff analyzer_failed.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
|
|
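Review bot: `touch analyzer_failed.log` followed by `btest-diff analyzer_failed.log` hides whether Zeek wrote the log at all; if the baseline is the empty touched file, the stricter and clearer form used by the other tests in this commit is `# @TEST-EXEC: test ! -f analyzer_failed.log`. If the baseline has content instead, the touch is redundant and can be dropped. The baseline is not visible from this hunk, so which of the two applies has to be confirmed.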
@ -9,7 +9,7 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
redef SSL::ct_logs += {
|
||||
["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = SSL::CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"),
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This tests that no error messages are output when a protocol violation occurs
|
||||
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
|
||||
# @TEST-EXEC: test -f dpd.log
|
||||
# @TEST-EXEC: test -f analyzer_failed.log
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/tls/tls1_1.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/protocols/ssl
|
||||
@load base/files/x509
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: btest-diff out-coalesced
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
# @TEST-EXEC: diff out-separate out-coalesced
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/protocols/websocket
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
# @TEST-EXEC: echo "message-too-big-status.pcap" >>out.spicy
|
||||
# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT WebSocket::use_spicy_analyzer=T >>out.spicy
|
||||
# @TEST-EXEC: diff -u out.spicy out >&2
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/websocket
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# @TEST-EXEC: echo "two-binary-fragments.pcap" >>out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES//websocket/two-binary-fragments.pcap %INPUT >>out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/websocket
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
#
|
||||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff http.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff ssl.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f ssh.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f ssh.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff ssh.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: test ! -f websocket.log
|
||||
# @TEST-EXEC: test ! -f ssh.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
# @TEST-EXEC: diff -u ssh.log.cut.spicy ssh.log.cut >&2
|
||||
# @TEST-EXEC: btest-diff conn.log.cut.spicy
|
||||
# @TEST-EXEC: btest-diff ssh.log.cut.spicy
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff ssh.log.cut
|
||||
# @TEST-EXEC: btest-diff websocket.log
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f analyzer_failed.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|